authorYorhel <git@yorhel.nl>2010-11-06 16:46:01 +0100
committerYorhel <git@yorhel.nl>2010-11-06 16:46:01 +0100
commite625403d6108b3f95361ece3c4311dae88747107 (patch)
tree0f456df20316562333d4ae76ce1a02b703279747 /data
parent09307455ced2b60ea2abb161fc59f8efdafefdfa (diff)
Fixed cross-site request forgery vulnerabilities
Diffstat (limited to 'data')
-rw-r--r--data/global.pl1
-rw-r--r--data/lang.txt17
-rw-r--r--data/script.js11
3 files changed, 24 insertions, 5 deletions
diff --git a/data/global.pl b/data/global.pl
index 4046ce10..2d04d149 100644
--- a/data/global.pl
+++ b/data/global.pl
@@ -21,6 +21,7 @@ our %S = (%S,
cookie_domain => '.vndb.org',
cookie_prefix => 'vndb_',
global_salt => 'any-private-string-here',
+ form_salt => 'a-different-private-string-here',
source_url => 'http://git.blicky.net/vndb.git/?h=master',
admin_email => 'contact@vndb.org',
scr_size => [ 136, 102 ], # w*h of screenshot thumbnails
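Review bot: The new `form_salt` line ships a literal placeholder value with nothing marking it as a per-deployment secret, so an instance that keeps the default while customising `global_salt` would presumably end up with a predictable form code, undoing the CSRF fix this commit introduces. Add a trailing comment such as `form_salt => 'a-different-private-string-here', # secret: must be random, per deployment, and differ from global_salt` so operators cannot overlook it. How the form code is derived from this value is not visible in the diff, so the exact consequence of leaving the default in place should be confirmed against the server-side code.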
diff --git a/data/lang.txt b/data/lang.txt
index 3b8522c0..c2514330 100644
--- a/data/lang.txt
+++ b/data/lang.txt
@@ -6945,6 +6945,23 @@ hu : A formulát nem lehetett elküldeni, kérlek ellenőrizd, hogy engedélyezv
nl : Formulier kon niet verzonden worden, zorg er voor dat Javascript aan staat in je browserinstellingen.
+# User didn't pass the form code protection
+
+:_formcode_title
+en : Validation code expired
+ru*:
+cs*:
+hu*:
+nl : Validatie code ongeldig
+
+:_formcode_msg
+en : Please hit the back-button of your browser, refresh the page and try again.
+ru*:
+cs*:
+hu*:
+nl : Ga terug naar de vorige pagina, vernieuw deze en probeer het opnieuw.
+
+
# Short message reminding the user to post in ENGLISH (Used at about every message/description input field)
:_inenglish
diff --git a/data/script.js b/data/script.js
index 61f37d66..beac7926 100644
--- a/data/script.js
+++ b/data/script.js
@@ -406,16 +406,17 @@ function rlDropDown(lnk) {
function rlMod() {
var lnk = byId('rlsel_'+this.rl_rid);
+ var code = getText(byId('vnrlist_code'));
ddHide();
setContent(lnk, tag('b', {'class': 'grayedout'}, mt('_js_loading')));
- ajax('/xml/rlist.xml?id='+this.rl_rid+';e='+this.rl_act, function(hr) {
+ ajax('/xml/rlist.xml?formcode='+code+';id='+this.rl_rid+';e='+this.rl_act, function(hr) {
// TODO: get rid of innerHTML here...
lnk.innerHTML = hr.responseXML.getElementsByTagName('rlist')[0].firstChild.nodeValue;
});
return false;
}
-{
+if(byId('vnrlist_code')) {
var l = byClass('a', 'vnrlsel');
for(var i=0;i<l.length;i++)
ddInit(l[i], 'left', rlDropDown);
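Review bot: The form code read by `var code = getText(byId('vnrlist_code'));` is spliced into the request URL unescaped in the new `ajax(...)` line; if the server-issued code can ever contain URL-reserved characters (`+`, `;`, `&`, `#`) the parameter is altered in transit and the request fails with the new "Validation code expired" message. Change it to `ajax('/xml/rlist.xml?formcode='+encodeURIComponent(code)+';id='+this.rl_rid+';e='+this.rl_act, function(hr) {` and add `// vnrlist_code holds the server-issued form code that guards this state-changing request` above the `var code` line, since the token's origin is otherwise implicit. Because the token travels in a GET query string it will also appear in browser history, Referer headers and access logs; the server-side check is not in this diff, but the new lang.txt strings suggest the code expires, which is the right property to preserve. The `if(byId('vnrlist_code')) {` block opened at the end of this hunk closes outside it.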
@@ -1766,7 +1767,7 @@ if(byId('votesel')) {
if(s == 10 && !confirm(mt('_vnpage_uopt_10vote')))
return;
if(s)
- location.href = location.href.replace(/\.[0-9]+/, '')+'/vote?v='+s;
+ location.href = location.href.replace(/\.[0-9]+/, '')+'/vote?formcode='+this.name+';v='+s;
};
}
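Review bot: The new `location.href` line uses `this.name` as the form code, which silently couples the handler to the markup: the `votesel` select's `name` attribute must now carry the server-issued code, and nothing in the code says so. Add `// the select's name attribute carries the server-issued form code` above the assignment and write the token as `encodeURIComponent(this.name)` so a code containing URL-reserved characters cannot break the query string. The same unescaped `this.name` pattern appears in the `wishsel` and `listsel` hunks below, which should get the same treatment. The enclosing `onchange` handler and the `if(byId('votesel'))` block start outside this hunk.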
@@ -1829,7 +1830,7 @@ if(byId('wishsel')) {
byId('wishsel').onchange = function() {
if(this.selectedIndex != 0)
location.href = location.href.replace(/\.[0-9]+/, '')
- +'/wish?s='+this.options[this.selectedIndex].value;
+ +'/wish?formcode='+this.name+';s='+this.options[this.selectedIndex].value;
};
}
@@ -1838,7 +1839,7 @@ if(byId('listsel')) {
byId('listsel').onchange = function() {
if(this.selectedIndex != 0)
location.href = location.href.replace(/\.[0-9]+/, '')
- +'/list?e='+this.options[this.selectedIndex].value;
+ +'/list?formcode='+this.name+';e='+this.options[this.selectedIndex].value;
};
}